Security Experts:

Connect with us

Hi, what are you looking for?



PHP SuperGlobal Variables Increasingly Targeted by Hackers

Hackers are increasingly trying to exploit PHP ‘SuperGlobal’ variables as a way to compromise their targets, according to a new report from Imperva.

Hackers are increasingly trying to exploit PHP ‘SuperGlobal’ variables as a way to compromise their targets, according to a new report from Imperva.

Over the course of May, Imperva identified 3,450 requests that manipulated PHP SuperGlobal variables targeting 24 web applications. These requests were generated by 27 different source IP addresses and appeared in the form of request burst floods with peaks of more than 20 hits per minute on a single application.

The source of one such attack examined by the company was traced to an Italian host server targeting two different applications. The host server did not have a malicious reputation, and in fact belonged to an Italian bank.

The firm also said it observed SuperGlobal variable manipulation occurring as part of large vulnerability scans performed by tools such as Nikto, Nessus and Acunetix. This demonstrates that SuperGlobal manipulation has become common practice integrated into security and hacking tool routines, Imperva observed.

The report also documents an attack on a vulnerable version of the PhpMyAdmin (PMA) utility.

“This utility is often bundled with other applications using the popular MySQL Database,” the report notes. “Having this vulnerable utility present on the server, even if it is not being used by the administrator, exposes the server to code execution attacks, and as a consequence, to full server takeover. Since administrators are not necessarily aware of all the bundled software, an “opt out” security model is needed. One way to achieve such an ‘opt out’ security model is by deploying a Web Application Firewall (WAF) with constant updates of security content.”

“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire Web,” said Amichai Shulman, CTO at Imperva, in a statement. “The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.”

According to Imperva, organizations can mitigate these attacks by adopting a “positive security model” that specifies the allowed parameter names for each resource, thereby preventing an attacker from sending out external parameters with the same name of internal variables and overriding the internal variables’ value. In addition, SuperGlobal parameters in requests should be blocked.

“Since there is no reason for these parameters to be present in requests, they should be banned,” the firm advised.

A copy of the report, part of Imperva’s Hacker Intelligence Initiative, is available here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet